By Michael L. Smith, R.R.T., J.D., Board Certified by The Florida Bar in Health Law

Recently, major news sources covered a demonstration cyberattack on an automobile that was carried out by researchers from Wired Magazine. The demonstration showed how the car's onboard computer was vulnerable to a remote cyberattack, potentially leading to disastrous consequences. The manufacturer of the vehicle in the demonstration quickly announced a recall of approximately 1.4 million vehicles in order to perform software updates.

One of the experts discussing the Wired Magazine demonstration identified cyber vulnerabilities of medical devices as a greater concern than the cyber vulnerabilities of automobiles.

Cybersecurity Vulnerabilities.

On July 31, 2015, just 10 days after the Wired Magazine demonstration, the Food and Drug Administration (FDA) issued a warning to all health care facilities using older versions of the Hospira Symbiq Infusion System, stating that the system was subject to cybersecurity vulnerabilities. According to the FDA, the systems could be accessed remotely through a hospital's network, allowing an unauthorized user to change dosages administered by the pump.

The timing of the FDA announcement appears to be entirely coincidental, and the vulnerability of medical devices to cyberattack has been a concern for several years. In a 2011 demonstration, an insulin pump was hacked and directed to deliver a lethal dose of insulin. In another demonstration about a year later, an implantable pacemaker was hacked and directed to deliver a potentially lethal shock.

To date, there has never been a confirmed cyberattack on a patient's medical device in an attempt to injure or kill the patient. However, at least three cyberattacks on medical devices that resulted in data breaches have been reported. In each of those incidents, the medical devices had been infected with malware, which allowed unauthorized individuals to access the hospitals' networks. The motive for these cyberattacks appeared to be to steal the confidential patient information contained on those networks, and not to kill or injure a particular patient. Medical records are extremely valuable on the black market, so it is not surprising that hackers are looking for any route possible to access and steal those records. The hacking of medical devices is currently the easiest route for hackers to use in inappropriately accessing medical records.

How Do the Hackers Do it?

In one reported incident, three arterial blood gas analyzers were discovered to be infected with malware. The malware made it possible for unauthorized individuals to access the hospital's computer network and install other malware. The attack resulted in confidential information being sent to Europe. The hospital involved was not able to detect the malware through its own network protections because the malware was on the software of the medical device.

In the other two incidents, the system each hospital used to store and transmit diagnostic images was, again, infected by malware. The malware allowed unauthorized individuals to remotely access confidential patient information maintained on each hospital's system. The confidential information obtained in those instances was sent to China. Again, the hospitals were unable to detect the malware with their own security measures because the malware was on the software of the medical device.

Preventing Unauthorized Modification of Medical Devices.

These incidents should not be a surprise to medical device manufacturers or to hospitals. In 2013, the FDA issued a Safety Communication identifying medical devices infected with malware as a major cybersecurity vulnerability. The FDA advised medical device manufacturers that they were to remain vigilant in identifying cybersecurity risks associated with their devices. The FDA recommended that manufacturers make sure appropriate safeguards were in place to prevent unauthorized access to, or modification of, medical devices.

Hospitals and medical device manufacturers should re-examine the FDA's warnings about the cybersecurity vulnerabilities of medical devices and hospital networks. Those hospitals and medical device manufacturers should also re-examine their security systems to ensure that they are protected from cyberattacks, including attacks by malware associated with medical devices.


The attorneys of The Health Law Firm represent physicians, medical groups, nursing homes, home health agencies, pharmacies, hospitals and other health care providers and institutions in investigations and defending alleged HIPAA and FIPA complaints and violations and in advising on data breaches.

About the Author: Michael L. Smith, R.R.T., J.D., is Board Certified by The Florida Bar in Health Law. He is an attorney with The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. www.TheHealthLawFirm.com. He is also a registered respiratory therapist with decades of hospital experience. The Health Law Firm, 1101 Douglas Ave., Altamonte Springs, FL 32714, Phone: (407) 331-6620.
